UNCLASSIFIED HMG IA Standard No. 1 Technical Risk Assessment


October 2009 Issue No: 3.51 HMG IA Standard No. 1

HMG IA Standard No. 1, Issue: 3.51, October 2009

The copyright of this document is reserved and vested in the Crown.

Intended Readership

This Standard is intended for Risk Managers and IA Practitioners who are responsible for identifying, assessing and treating the technical risks to Information and Communication Technology (ICT) systems and services that handle, store and process government information. This Standard is not intended to be an introduction to the principles of information risk management. Appropriate application of the methodology it contains will require a high level of skill, judgement and experience in the field of Information Assurance.

This Standard is aligned with and supports the overarching information risk management policy for HMG ICT systems provided by HMG IA Standard No. 2, Risk Management and Accreditation of ICT Systems and Services (IS2) (Reference [a]). A CESG Busy Reader Guide, Risk Management and Accreditation, has been produced that provides a high-level summary.

Executive Summary

This Standard is a component of the HMG Security Policy Framework (SPF) (Reference [b]); it is therefore mandatory policy for all HMG Departments and Agencies. It is also recommended for the wider Public Sector.

This Standard provides the IA practitioner with a methodology for identifying, assessing and determining the level of risk to an ICT system, and a framework for the selection of appropriate risk treatments.

This Standard includes definitions of the Business Impact Levels (BIL). The use of these levels is mandatory for HMG (SPF MR 33) and they are recommended for other organisations. The BILs are aligned with a number of UK sectors, such as the military, the economy and the Critical National Infrastructure (CNI). An understanding of Business Impact Levels is critical to understanding the impact of a compromised information asset.

Risk assessment (evaluation) and risk treatment form part of the overarching process of risk management. The components of risk will change over time and those changes must be factored into the risk assessment to ensure the risk treatment controls remain appropriate. Risk Management is therefore an activity that must take place throughout the lifecycle of an ICT system or service. IS2 describes the risk management lifecycle.

A key component of a risk assessment is threat. IS1 differentiates between threat sources (those who wish a compromise to occur) and threat actors (those who actually carry out the attack). A method is provided that allows the Analyst to assess the level of threat from threat sources and threat actors, including the case where a source may influence or coerce an actor to mount an attack on their behalf. The output of the risk assessment is a set of risks.

Aims and Purpose

The aim and purpose of the Standard is to provide a risk assessment and risk treatment process that allows Analysts, Accreditors, SIROs and other interested parties to:

- Analyse a proposed or existing system to identify risks and estimate the levels of those risks;
- Select appropriate controls to manage the treatable risks.

By providing a common method for estimating risk levels, the Standard enables meaningful comparisons between different organisations, which is especially important if they wish to interconnect, interact or rely on shared services for protection. This supports one of the key principles of the National IA Strategy (Reference [c]).

Major Changes from the Previous Issue

The following changes have been incorporated:

- The assessment process has been clarified;
- The set of minimum assumptions has been dropped to avoid confusion with the Baseline Control Set;
- Minor changes have been made to the business impact statement tables and a new table that considers impacts to the citizen has been provided;
- Guidance has been produced about using IS1 throughout the risk management and accreditation lifecycle. This new guidance is consistent with IS2;
- The treatment of threat has been modified, to make it simpler, clearer and easier to apply. Threat actor clearance and deterrence have moved into the threat level assessment, with some consequential changes such as the disappearance of likelihood as an explicit parameter. The process for assessing coercion of threat actors by threat sources has been clarified. This has resulted in a number of changes to Form 4;
- A new guided worked example has been developed to reflect these changes.


Contents:

Chapter 1 - Introduction ... 7
  Structure of this Standard and How to Use it ... 7
  Status and Applicability ... 8
  Using this Standard ... 8
Chapter 2 - Risk Management Lifecycle ... 9
  Introduction ... 9
  Risk Appetite and Risk Tolerance ... 9
  Project Lifecycle ... 10
Chapter 3 - Concepts used in the method ... 15
  Risk Scope ... 15
  Assets, Focus of Interest and Modelling ... 16
  Business Impact Level ... 16
  Threat Sources and Threat Actors ... 17
  Threat Levels ... 18
  Compromise Methods ... 18
  Risk ... 19
  Risk Level ... 19
Chapter 4 - The Risk Method ... 21
  Outline of the Step-By-Step Method
Appendix A: Business Impact Level Tables
  Introduction
  Using the tables
Appendix B: Modelling Technique ... 55
  Introduction
  Risk Analysis and Analysis Scope ... 55
  Model Concepts
  Modelling Reference Guide
Appendix C: Threat Actor Type and Compromise Methods
  Definitions of Threat Actor Types ... 63
  Description of Threat Actor Types ... 65
  Compromise Methods Available to Threat Actors
Appendix D: Worked Example
  Introduction
  Scenario
Appendix E: Blank Forms
References
Glossary
Customer Feedback


Chapter 1 - Introduction

Key Principles

It is a mandatory requirement that HMG Departments and Agencies bound by the SPF carry out risk assessments for their ICT systems using this Standard.

IS1 is intended to be used by an IA practitioner. A lot of analysis and professional judgement is required throughout application of this Standard.

Structure of this Standard and How to Use it

1. IS1 provides a method to identify and assess the technical risks that an ICT system is exposed to. The key output is a list of prioritised risks that can be used as a basis for risk treatment requirements and options for managing the risks, such as the set of controls provided in ISO 27001, Information Security Management Systems (reference [d]). ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). There may be significant alignment for organisations using both IS1 and ISO 27001.

2. Risk assessment is an ongoing process that must be carried out within the broader context of the risk management and accreditation process, as described in IS2.

3. Understanding that the risk components¹ will change throughout the lifecycle of an ICT system (such as during development, in service and end of life) is a key aspect of information risk management. Technical risk must be reviewed at least annually, or when there are significant changes to the risk components, as required by the SPF, MR 32. For ICT systems handling personal or sensitive information, the risk assessment must be reviewed quarterly. Further detail on alignment of IS1 to the risk management and accreditation lifecycle is contained in Chapter 2, Risk Management Lifecycle.

4. For every HMG ICT system IS2 requires a Privacy Impact Assessment (PIA) to be conducted. The first element of that assessment is a screening process to determine if personal or sensitive information is included within the scope of the ICT system. IS1 supports the PIA process, which is described in further detail in IS2.

5. IS1 provides a method to assess technical information risk. It does not provide guidance on the assessment of non-technical risk, such as fire or flood. These risks should be assessed using an appropriate method and included within the overall Risk Management and Accreditation Documentation Set (RMADS).

¹ Risk Components are: Assets (Impact), Threat, Vulnerability, Likelihood.

6. Throughout the IS1 method, significant decisions have to be made on risk components such as threat. It is essential that the Accreditor is involved throughout the whole risk assessment process, influencing and agreeing assumptions and decisions. IS1 supports the risk management and accreditation process described in IS2. This Standard requires formal Accreditor sign-off of deliverables at various stages, including those delivered by application of IS1. For further information refer to Chapter 2, Risk Management Lifecycle.

7. Within this Standard the "must" imperative is used to describe a mandatory requirement. The "should" imperative is used where the application of the measure is recommended but not mandatory.

Status and Applicability

8. The SPF MR 32 requires that all Government Departments and Agencies apply this Standard to assess and treat the technical risks to all HMG ICT systems.

9. This Standard is designed to be applicable to a broad range of customers across the public and private sectors. Where this Standard is used by organisations not bound by the SPF (such as Local Authorities), the mandatory requirements should be taken as strong recommendations. This Standard is strongly recommended for e-government related risk assessments, and is endorsed by the e-government Security Framework (reference [e]).

10. This Standard has been produced to be consistent with and support the application of the ISO series, as good practice for the risk management of information systems.

Using this Standard

11. IS1 is not prescriptive about how a risk should be treated, as the risk appetite of the organisation and the business context will differ for each. Significant judgements will therefore have to be made and, ideally, the analyst should have a solid understanding of the principles of risk management and practical experience of applying them. Technical skills are not critical to using the Standard.

12. The assessment and treatment of technical risk is complex, and achieving accurate outcomes requires a skilled practitioner. Whilst not essential, it is recommended that before using this Standard, practitioners attend a formal training course.

13. Government Departments who require advice on the application of this Standard should approach CESG (via their Customer Account Manager) or consider engaging a member of the CESG Listed Advisors Scheme (CLAS) to support them.

Chapter 2 - Risk Management Lifecycle

Key Principles

Risk Management is an activity that must take place throughout the lifecycle of an ICT system, from inception and design, through in-service delivery and finally decommissioning.

IS1 can and should be used in conjunction with the risk management and accreditation process described in IS2.

Early project risk assessments may have to make a number of assumptions or generalisations. As more information becomes known about the project and associated components of risk, the risk assessment must be refined and updated.

Introduction

14. The risk management and accreditation process is established and fully described in IS2. Risk management is an iterative process that must be carried out throughout the lifecycle of an ICT system, from early planning, through system development and in-service use, to eventual decommissioning and disposal. Effective risk management provides an organisation with confidence that risks to the ICT system and its information are effectively managed whilst allowing business opportunities to be realised.

15. Risk management requires a thorough understanding of business requirements, of the potential threats and vulnerabilities that may be exploited, and an evaluation of the likelihood and impact of a risk being realised. IS1 provides a method to evaluate these factors and the resulting risk. This chapter describes how IS1 can, and should, be used throughout the risk management lifecycle. The activities described are aligned to the IS2 staged process.

Risk Appetite and Risk Tolerance

16. A risk appetite statement allows an organisation to communicate the overall level of risk that it is prepared to tolerate in order to achieve its business aims. This statement sets the context for decisions about the acceptable level of risk for particular business activities or projects, known as risk tolerance. Risk tolerance is not a fixed level. An organisation may set an initial risk tolerance for an ICT system, taking into account the organisation's risk appetite, then reconsider that tolerance in the light of new understanding or circumstances.

17. When considering the application of controls to manage information risk, the Analyst should take account of the risk appetite and risk tolerance statements in deciding how robust controls need to be and in determining an appropriate assurance plan. Further guidance on risk appetite and risk tolerance is provided in IS2.

Project Lifecycle

18. A typical project will begin with a business requirement to be achieved. There may be some organisational statements (such as the risk appetite) and policies; the Analyst and Accreditor may know something about applicable threat sources. At this stage of the project very little is typically known about the design or architecture of the eventual solution, and thus little is known about specific vulnerabilities. A risk assessment will provide quite generic outputs and significant assumptions may need to be made.

19. As more is known about the project, and business requirements are refined, the risk assessment can be refined. Generic categories of vulnerability may be deduced, leading to a set of risks and associated security requirements to manage those risks. Typically these security requirements could be used to inform and influence an Invitation To Tender (ITT) and then be used as a basis for tender evaluation.

20. As a system is designed and implemented, knowledge about specific functionality and architecture becomes available. This allows a more refined assessment of the vulnerabilities, controls and assurance in place. Vulnerabilities are never static, and thus the risk assessment must regularly and continually take into account these changes as well as changes in the threat environment and business use. Finally, when an ICT system is decommissioned the risk assessment must be updated to evaluate and manage risks associated with decommissioning, such as disposal of equipment.

21. The lifecycle described follows the IS2 staged risk management process. At a number of stages the risk assessment must be refined and updated to reflect improvements in, or new knowledge of, the components of risk. The following sections describe the IS1 activities and outputs required for each IS2 stage.

Stage 0 Early Planning and Feasibility

22. The purpose of Stage 0 is to assess and provide early identification of the high-level IA risks associated with the business requirement. At this stage an IS1 snapshot risk assessment should take place.

Snapshot Risk Assessment

23. A snapshot risk assessment follows the IS1 method; however, it recognises the limitations of the level of understanding and detail of risk components. This risk assessment is therefore intended to inform the organisation of the types and magnitudes of risk that will require management, in order to help make a decision about whether to proceed. A broad understanding of the business requirement is required for this stage. The normal IS1 method should be followed with the following guidance:

- Assets at risk of compromise should be understood at a broad and high level. The maximum business impacts of compromise of confidentiality, integrity and availability should be assessed.
- Categories of threat sources should be assessed and understood at this stage. Corporate threat information may exist.
- At this stage of the project there may be little refined understanding of threat actors; however, broad categories should be understood and assessed. For example, it will be known whether there will be system users or not.
- A snapshot of risk level can be evaluated. This will provide an indication of the level and types of risk that will need to be managed. In addition, at this stage the Analyst and Accreditor should be able to assess which Segmentation Model levels will be applicable.

24. Where the proposed system includes interconnections to or dependencies on other systems, then a similar snapshot assessment should be carried out for that system.

Stage 1 Accreditation Strategy

25. The aim of Stage 1 is to define and develop an accreditation strategy. This strategy should include definition of how the risk assessment and risk treatment method (as described in this Standard) will influence and be incorporated into the RMADS.

26. As more becomes known about the components of risk, the snapshot assessment can be refined and developed. In particular, more will be known about the application of the baseline controls and which risks will require controls at higher levels of the Segmentation Model. At this stage, controls will be defined in terms of control objectives set out in a security case. That is, they will describe functionally the purpose of the control but may not define how that control will be achieved. For example, a control objective to stop malware executing could be achieved by stopping the malware at a boundary or by using an executable whitelist. The security case will begin to define how assurance might be achieved, recognising that there is still a lot of uncertainty about the final solution.

27. The draft security case supports the risk treatment plan that is required to be produced for the RMADS at this stage.

Stage 2 IA Requirements

28. Stage 2 aims to develop a set of IA requirements that are of sufficient quality to be included in an ITT process. The requirements should give adequate guidance to potential suppliers and be able to provide a basis for discrimination between different bids.

29. This stage is at the core of IS1. The risk assessment method should be carried out in full, with a more developed analysis of the business requirements, threat sources and threat actors (including threat sources influencing threat actors).

30. All HMG systems are expected to apply a full set of baseline controls, with any exceptions justified and agreed with the Accreditor. For risks that require treatment at a higher level of the Segmentation Model, control objectives should be developed. These objectives must be of sufficient quality that they can be used as a basis for supplier discrimination and contract negotiation, and that once a solution is developed against those requirements, it will provide the overall required levels of risk management. Assurance requirements must also be defined at this stage, as the assurance activities required will need to be built into the ITT and therefore the supplier's cost model. Both the control objectives and assurance requirements must be built into the security case and RMADS.

31. It is critical that this stage is carefully and completely followed. Once a set of security requirements has been agreed contractually, it may be extremely difficult and expensive to later request changes or debate ambiguity.

Stage 3 Options and Selection

32. The purpose of Stage 3 is to assess the supplier's ability to deliver a solution that meets the IA and business requirements. The bids provided should be assessed against the security requirements defined in Stage 2. Security requirements contained within the ITT will typically take the form of control objectives. The suppliers will propose a solution that aims to meet those objectives with associated assurance.

Stage 4 Accreditation in Development and Acceptance

33. The aim of Stage 4 is to confirm that the delivered solution is fit for purpose, meets the security requirements and can be accredited. It is at this stage that considerably more information about the system risks becomes known. IS1 uses the concept of compromise methods. These can be thought of as a generalisation of possible vulnerabilities that a threat actor could exploit. As more information is known, these compromise methods can be developed by the Analyst to deliver a greater level of granularity to the risk assessment.

34. As more is known about the architecture and design of the solution, more will be known about how threat actors might be able to exercise particular compromise methods, what controls are in place and what vulnerabilities remain. The strength of a set of controls that manage risks from a given set of threats must take account of the risk tolerance statement. This statement will provide a qualitative measure of how robust the controls need to be and what residual vulnerability may be acceptable. For example, if the risk was related to malware exercising a known vulnerability²:

- If the risk tolerance level is stated as Very Low, this may mean that all system components require immediate patching all of the time.
- If the risk tolerance level is stated as Medium, this may mean that patches can be grouped and applied as a batch.

35. The Analyst should ensure that the solution effectively delivers all of the baseline controls and that appropriate assurance is in place or planned. Similarly, the Analyst should ensure that all control objectives at higher Segmentation Model levels are sufficiently implemented and assured. The Analyst should:

- In light of the design or solution, for each risk (or set of similar risks) deduce how the compromise method relates to different ways of compromising the system. For example, a system has email and web browsing to the Internet. One risk will be that an Internet connected threat agent performs a network attack. In this case network attack may comprise:
  o Abuse of email protocol (such as SMTP);
  o Abuse of web protocols (such as HTTP);
  o Abuse of any other protocol, which is disallowed in the policy.
- The Analyst can then deduce whether the solution effectively manages these decomposed risks and any gaps. These solution gaps must be recorded in the updated security case and included in the RMADS.
- Similarly, any assurance gaps must be recorded in the updated security case and included in the RMADS.

² Note that these statements are just examples of how the risk tolerance level may influence controls; they are not necessarily appropriate responses.

Stage 5 Risk Management In-Service & Accreditation Maintenance

36. Stage 5 aims to ensure that the ICT system is, and remains, compliant with the corporate security policy and the agreed IA requirements (including assurance) as documented in the RMADS.

37. As a system is used, the specific business uses may vary, threats may change and new vulnerabilities will be discovered. The risk assessment must reflect the current prevailing risk components. It is therefore essential to regularly review and update the risk assessment.

38. The SPF (MR 32) requires that all ICT systems are subject to an annual risk assessment, or an updated assessment when there is significant change to any of the risk components. The latest threat and vulnerability assessments should be reviewed (at least annually) and the risk assessment correspondingly updated. In particular, when the system profile changes (such as a new interconnection), the risk assessment must be revisited and updated.

39. Assurance activities must continue throughout the lifecycle of the ICT system. Accreditors and IA Practitioners should consider the CESG Assurance Framework to ensure that assurance has been considered in the round.

Stage 6 Secure Decommissioning and Disposal

40. The final stage (6) aims to ensure that an ICT system is decommissioned and disposed of in a secure way. There are likely to be specific risks associated with this final stage that should be assessed using IS1. The disposal or reuse of equipment or media that has not been securely erased may compromise the confidentiality of any data left on that media.

Chapter 3 - Concepts used in the method

Key Principles

The scope of a risk assessment can be defined to include services delivered by the project, other components such as external connections that require analysis, as well as components that are provided and accredited by others and can be trusted.

IS1 differentiates between a threat source and a threat actor. A threat source is somebody who wishes a compromise to occur, or would benefit from a compromise occurring. A threat actor is somebody who would actually mount the attack. A threat source can influence or coerce a threat actor to mount an attack on their behalf.

The IS1 risk assessment method is built around the concept of a threat actor using a compromise method to compromise the confidentiality, integrity or availability of information or an ICT system.

Risk Scope

41. ICT systems are typically not developed in isolation and either rely upon, or deliver controls for, other systems outside of the scope of the project. A risk assessment may therefore involve consideration of facilities and services that have been, or need to be, accredited by another organisation. To accommodate these situations this Standard introduces the concepts of Accreditation Scope, Reliance Scope and Analysis Scope.

42. The Accreditation Scope includes all of the capability and services that the project is responsible for delivering. This will typically be the same as the scope of the project.

43. The Reliance Scope identifies capability and services that the accreditation scope relies upon, but which are not directly supplied by the project. A trusted risk assessment and accreditation of these components is required in order to rely upon them without further analysis. For example, a project may decide to rely upon services provided by the Government Secure Intranet (GSI), without having to accredit those services themselves. The use of shared services should come within the reliance scope.

44. The Analysis Scope includes everything that is part of the risk assessment. This includes everything that is part of the project and reliance scopes, as well as business information exchange requirements and system connections.

45. Where a project team is responsible for all the defences to protect its assets, the project and reliance scopes will be the same. However, often projects provide services to other projects and/or rely on other projects to provide security services. This Standard requires that you explicitly identify these dependencies.

Assets, Focus of Interest and Modelling

46. An asset is broadly defined in IS2 as anything which has value to an organisation, its business operations and its continuity. If the confidentiality, integrity or availability of an asset is compromised then there will be an impact felt by the business or other stakeholders.

47. A Focus of Interest (FoI) is a collection of assets, with associated features, that is the subject of a given risk assessment. In essence, a FoI simply acts to conveniently group assets so that a risk assessment can be conducted for the group, rather than requiring an assessment of each individual component.

48. The IS1 method contains a modelling technique that allows the Analyst to model the assets under consideration to help them gain a greater understanding of the system. Use of the modelling technique is recommended but not mandatory. If the user prefers a different method of modelling the system they are free to use that method, so long as the Accreditor is content with the approach.

49. The core of the modelling technique is based around model objects. These include assets, but the term also includes things that would not normally be considered explicitly as assets, such as support objects or connection objects. The detail of the model objects and modelling technique is contained within Appendix B.

Business Impact Level

50. The successful exploitation of a compromise method by a threat actor will result in compromise of the Confidentiality, Integrity or Availability (C, I or A) of an asset. This compromise will have a business impact. The SPF and this Standard rank business impact on a seven-point (0 to 6) numerical scale. Appendix A lists a series of criteria, grouped according to UK sectors, by which to judge the appropriate Business Impact Level (BIL).

51. Business impact is by definition the impact that a compromise has on the operations or efficiency of the organisation, or on customers or citizens. It is for the organisation to make a business-led decision on the appropriate BIL to assign to an asset.

52. The business impact level tables presented in Appendix A describe impacts from the common perspective of UK society. For example, the impact of a given financial loss to a small company, large company or HMG is taken from the perspective of damage to the UK economy, rather than the perspective of the individual organisation.

53. Where the business impact of compromise of a set of assets is greater than the impact of an individual compromise, aggregation applies. Care should be taken when considering aggregation. Where a set of information has a higher BIL because of aggregation, it does not necessarily follow that the applicable threats have increased. This means that it is not always appropriate to increase the Protective Marking of information (for confidentiality) when the BIL rises due to aggregation. For example, a database of many IL3 (for confidentiality) records may aggregate to IL5. It does not follow that this database should be marked SECRET, as this would lead to disproportionate and inappropriate controls being required. CESG GPG 9, Taking Account of the Aggregation of Information (reference [f]) provides further detail.

Threat Sources and Threat Actors

54. This Standard distinguishes between threat sources and threat actors, although one person or organisation may be both a source and an actor.

55. A threat source is a person or organisation that desires to breach security and ultimately will benefit from the breach in some way. A threat actor is a person who actually performs the attack or, in the case of accidents, will cause the accident. For example, a criminal may wish to breach the confidentiality of some HMG data. The criminal wishes the breach of security to happen and thus is the threat source. If the criminal persuades a system user to release the desired information to them, then the user is actually carrying out the attack. They are the threat actor.

56. Every system will have authorised users, who are threat actors for some compromise methods. Occasionally, it may be desirable to split authorised users into groups if their capability, motivation or security clearance varies considerably. For example, it may be useful to consider DV and BS cleared authorised users of the same system as two different groups of threat actors.

57. A threat actor group is a group of people who can reasonably be considered to have the same characteristics in terms of capability, motivation and opportunity to perform an attack. For example, a Department's set of cleaners may be grouped together as one threat actor group, rather than conducting a risk assessment for each individual cleaner.

58. The threat actor type is a key concept in this Standard because it defines the types of attack that a threat actor can mount. Each threat actor belongs to one or more threat actor types according to the degree and type of access to an asset. These threat actor types are:

- Bystander (BY)
- Handler (HAN)
- Indirectly Connected (IC)
- Information Exchange Partner (IEP)
- Normal User (NU)
- Person Within Range (PWR)
- Physical Intruder (PI)
- Privileged User (PU)
- Service Consumer (SC)
- Service Provider (SP)
- Shared Service Subscriber (SSS)
- Supplier (SUP)

These threat actor types are described more fully in Appendix C.

59. The list of threat actor types is intended to be exhaustive, in that any threat actor will fit into one or more threat actor types. If a situation arises where a threat actor group cannot fit into any of the types then discretion may be used to create and use a new type.

Threat Levels

60. The threat level is a value attributed to the combination of the capability and motivation of a threat actor or threat source to attack an asset. It takes into account any clearances that may apply to the threat actors and whether they are considered Deterrable.

Compromise Methods

61. A compromise method is the broad type of attack by which a threat actor may attempt to compromise the C, I or A of an asset. Once the threat actors' types have been determined, it is straightforward to identify from Appendix C the compromise methods they might use, and then consider which of those are actually plausible.

62. The compromise methods are stated at a very high level (such as Deliberately Disrupts) and could include several detailed types of attack. As such, the compromise methods can be thought of as a generalisation of vulnerability. When the Analyst has more detailed information about the system and understands elements of the architecture and deployed controls, they can deconstruct the compromise methods to provide more detail in their specific risk assessment. For example, the compromise method Misuses Business or Network Connections could be decomposed into specific vulnerabilities that arise because of the business requirements and the designed architecture.


More information

CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS

CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS CESG CIR SCHEME AND CREST CSIR SCHEME FREQUENTLY ASKED QUESTIONS QUESTION General What is the Cyber Security Incident Response (CSIR) Scheme? What is the Cyber Incident Response (CIR) scheme? Why have

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information